A Positive Attitude



(Akshay Kumar Sahoo, Orissa)

Population: 1,147,995,898


Aryan tribes from the northwest infiltrated onto the Indian subcontinent about 1500 B.C.; their merger with the earlier Dravidian inhabitants created the classical Indian culture. The Maurya Empire of the 4th and 3rd centuries B.C. – which reached its zenith under ASHOKA – united much of South Asia. The Golden Age ushered in by the Gupta dynasty (4th to 6th centuries A.D.) saw a flowering of Indian science, art, and culture. Arab incursions starting in the 8th century and Turkic in the 12th were followed by those of European traders, beginning in the late 15th century. By the 19th century, Britain had assumed political control of virtually all Indian lands. Indian armed forces in the British army played a vital role in both World Wars. Nonviolent resistance to British colonialism led by Mohandas GANDHI and Jawaharlal NEHRU brought independence in 1947. The subcontinent was divided into the secular state of India and the smaller Muslim state of Pakistan. A third war between the two countries in 1971 resulted in East Pakistan becoming the separate nation of Bangladesh. India’s nuclear weapons testing in 1998 caused Pakistan to conduct its own tests that same year. The dispute between the countries over the state of Kashmir is ongoing, but discussions and confidence-building measures have led to decreased tensions since 2002. Despite impressive gains in economic investment and output, India faces pressing problems such as significant overpopulation, environmental degradation, extensive poverty, and ethnic and religious strife.




Dominates South Asian subcontinent; near important Indian Ocean trade routes; Kanchenjunga, third tallest mountain in the world, lies on the border with Nepal.


Location: Southern Asia, bordering the Arabian Sea and the Bay of Bengal, between Burma and Pakistan

Geographic coordinates: 20 00 N, 77 00 E

Area: total: 3,287,590 sq km
land: 2,973,190 sq km
water: 314,400 sq km

Size comparison: slightly more than one-third the size of the US

Land boundaries: total: 14,103 km
border countries: Bangladesh 4,053 km, Bhutan 605 km, Burma 1,463 km, China 3,380 km, Nepal 1,690 km, Pakistan 2,912 km

Coastline: 7,000 km

Maritime claims: territorial sea: 12 nm
contiguous zone: 24 nm
exclusive economic zone: 200 nm
continental shelf: 200 nm or to the edge of the continental margin

Climate: varies from tropical monsoon in south to temperate in north

Terrain: upland plain (Deccan Plateau) in south, flat to rolling plain along the Ganges, deserts in west, Himalayas in north

Elevation extremes: lowest point: Indian Ocean 0 m
highest point: Kanchenjunga 8,598 m

Natural resources: coal (fourth-largest reserves in the world), iron ore, manganese, mica, bauxite, titanium ore, chromite, natural gas, diamonds, petroleum, limestone, arable land

Land use: arable land: 48.83%
permanent crops: 2.8%
other: 48.37% (2005)

Irrigated land: 558,080 sq km (2003)

Natural hazards: droughts; flash floods, as well as widespread and destructive flooding from monsoonal rains; severe thunderstorms;

Current environment issues: deforestation; soil erosion; overgrazing; desertification; air pollution from industrial effluents and vehicle emissions; water pollution from raw sewage and runoff of agricultural pesticides; tap water is not potable throughout the country; huge and growing population is overstraining natural resources

International environment agreements: party to: Antarctic-Environmental Protocol, Antarctic-Marine Living Resources, Antarctic Treaty, Biodiversity, Climate Change, Climate Change-Kyoto Protocol, Desertification, Endangered Species, Environmental Modification, Hazardous Wastes, Law of the Sea, Ozone Layer Protection, Ship Pollution, Tropical Timber 83, Tropical Timber 94, Wetlands, Whaling
signed, but not ratified: none of the selected agreements

Population: 1,147,995,898 (July 2008 est.)

Age structure: 0-14 years: 31.5% (male 189,238,487/female 172,168,306)
15-64 years: 63.3% (male 374,157,581/female 352,868,003)
65 years and over: 5.2% (male 28,285,796/female 31,277,725) (2008 est.)

Median age: total: 25.1 years
male: 24.7 years
female: 25.5 years (2008 est.)

Population growth rate: 1.578% (2008 est.)

Birth rate: 22.22 births/1,000 population (2008 est.)

Death rate: 6.4 deaths/1,000 population (2008 est.)

Net migration rate: -0.05 migrant(s)/1,000 population (2008 est.)

Sex ratio: at birth: 1.12 male(s)/female
under 15 years: 1.1 male(s)/female
15-64 years: 1.06 male(s)/female
65 years and over: 0.9 male(s)/female
total population: 1.06 male(s)/female (2008 est.)

Infant mortality rate: total: 32.31 deaths/1,000 live births
male: 36.94 deaths/1,000 live births
female: 27.12 deaths/1,000 live births (2008 est.)

Life expectancy at birth: total population: 69.25 years
male: 66.87 years
female: 71.9 years (2008 est.)

Total fertility rate: 2.76 children born/woman (2008 est.)

HIV/AIDS – adult prevalence rate: 0.9% (2001 est.)

HIV/AIDS – people living with HIV/AIDS: 5.1 million (2001 est.)

HIV/AIDS – deaths: 310,000 (2001 est.)

Nationality: noun: Indian(s)
adjective: Indian

Ethnic groups: Indo-Aryan 72%, Dravidian 25%, Mongoloid and other 3% (2000)

Religions: Hindu 80.5%, Muslim 13.4%, Christian 2.3%, Sikh 1.9%, other 1.8%, unspecified 0.1% (2001 census)

Languages: Hindi 41%, Bengali 8.1%, Telugu 7.2%, Marathi 7%, Tamil 5.9%, Urdu 5%, Gujarati 4.5%, Kannada 3.7%, Malayalam 3.2%, Oriya 3.2%, Punjabi 2.8%, Assamese 1.3%, Maithili 1.2%, other 5.9%
note: English enjoys associate status but is the most important language for national, political, and commercial communication; Hindi is the national language and primary tongue of 41% of the people; there are 14 other official languages: Bengali, Telugu, Marathi, Tamil, Urdu, Gujarati, Malayalam, Kannada, Oriya, Punjabi, Assamese, Kashmiri, Sindhi, and Sanskrit; Hindustani is a popular variant of Hindi/Urdu spoken widely throughout northern India but is not an official language (2001 census)

Literacy: definition: age 15 and over can read and write
total population: 61%
male: 73.4%
female: 47.8% (2001 census)

Country name: conventional long form: Republic of India
conventional short form: India
local long form: Republic of India/Bharatiya Ganarajya
local short form: India/Bharat

Government type: federal republic

Capital: name: New Delhi
geographic coordinates: 28 36 N, 77 12 E
time difference: UTC+5.5 (10.5 hours ahead of Washington, DC during Standard Time)

Administrative divisions: 28 states and 7 union territories*; Andaman and Nicobar Islands*, Andhra Pradesh, Arunachal Pradesh, Assam, Bihar, Chandigarh*, Chhattisgarh, Dadra and Nagar Haveli*, Daman and Diu*, Delhi*, Goa, Gujarat, Haryana, Himachal Pradesh, Jammu and Kashmir, Jharkhand, Karnataka, Kerala, Lakshadweep*, Madhya Pradesh, Maharashtra, Manipur, Meghalaya, Mizoram, Nagaland, Orissa, Puducherry*, Punjab, Rajasthan, Sikkim, Tamil Nadu, Tripura, Uttar Pradesh, Uttarakhand, West Bengal

Independence: 15 August 1947 (from UK)

National holiday: Republic Day, 26 January (1950)

Constitution: 26 January 1950; amended many times

Legal system: based on English common law; judicial review of legislative acts; accepts compulsory ICJ jurisdiction with reservations; separate personal law codes apply to Muslims, Christians, and Hindus

Suffrage: 18 years of age; universal

Executive branch: chief of state: President Pratibha PATIL (since 25 July 2007); Vice President Hamid ANSARI (since 11 August 2007)
head of government: Prime Minister Manmohan SINGH (since 22 May 2004)
cabinet: Cabinet appointed by the president on the recommendation of the prime minister
elections: president elected by an electoral college consisting of elected members of both houses of Parliament and the legislatures of the states for a five-year term (no term limits); election last held 21 July 2007 (next to be held in July 2012); vice president elected by both houses of Parliament for a five-year term; election last held 12 August 2002 (next to be held August 2007); prime minister chosen by parliamentary members of the majority party following legislative elections; election last held April – May 2004 (next to be held May 2009)
election results: Pratibha PATIL elected president; percent of vote – 65.8%; Bhairon Singh SHEKHAWAT – 34.2%

Legislative branch: bicameral Parliament or Sansad consists of the Council of States or Rajya Sabha (a body consisting of not more than 250 members up to 12 of whom are appointed by the president, the remainder are chosen by the elected members of the state and territorial assemblies; members serve six-year terms) and the People’s Assembly or Lok Sabha (545 seats; 543 elected by popular vote, 2 appointed by the president; members serve five-year terms)
elections: People’s Assembly – last held 20 April through 10 May 2004 (next must be held by May 2009)
election results: People’s Assembly – percent of vote by party – NA; seats by party – INC 147, BJP 129, CPI (M) 43, SP 38, RJD 23, DMK 16, BSP 15, SS 12, BJD 11, CPI 10, NCP 10, JD (U) 8, SAD 8, PMK 6, JMM 5, LJSP 4, MDMK 4, TDP 4, TRS 4, independent 6, other 29, vacant 13; note – seats by party as of December 2006

Judicial branch: Supreme Court (one chief justice and 25 associate justices are appointed by the president and remain in office until they reach the age of 65 or are removed for “proved misbehavior”)

Political parties and leaders: Bahujan Samaj Party or BSP [MAYAWATI]; Bharatiya Janata Party or BJP [Rajnath SINGH]; Biju Janata Dal or BJD [Naveen PATNAIK]; Communist Party of India or CPI [Ardhendu Bhushan BARDHAN]; Communist Party of India-Marxist or CPI-M [Prakash KARAT]; Dravida Munnetra Kazagham or DMK [M. KARUNANIDHI]; Indian National Congress or INC [Sonia GANDHI]; Janata Dal (United) or JD(U) [Sharad YADAV]; Jharkhand Mukti Morcha or JMM [Shibu SOREN]; Left Front (an alliance of Indian leftist parties); Lok Jan Shakti Party or LJSP [Ram Vilas PASWAN]; Marumalarchi Dravida Munnetra Kazhagam or MDMK [V. Gopalswamy VAIKO]; Nationalist Congress Party or NCP [Sharad PAWAR]; Pattali Makkal Katchi or PMK [S. RAMADOSS]; Rashtriya Janata Dal or RJD [Laloo Prasad YADAV]; Samajwadi Party or SP [Mulayam Singh YADAV]; Shiromani Akali Dal or SAD [Parkash Singh BADAL]; Shiv Sena or SS [Bal THACKERAY]; Telangana Rashtriya Samithi or TRS [K. Chandrashekhar RAO]; Telugu Desam Party or TDP [Chandrababu NAIDU]; United Progressive Alliance or UPA [Sonia GANDHI] (India’s ruling party coalition of 12 political parties); note – India has dozens of national and regional political parties; only parties or coalitions with four or more seats in the People’s Assembly are listed

Political pressure groups and leaders: All Parties Hurriyat Conference in the Kashmir Valley (separatist group); Bajrang Dal (religious organization); National Socialist Council of Nagaland in the northeast (separatist group); Rashtriya Swayamsevak Sangh (religious organization); Vishwa Hindu Parishad (religious organization)
other: numerous religious or militant/chauvinistic organizations; various separatist groups seeking greater communal and/or regional autonomy

International organization participation: ADB, AfDB (nonregional members),

ARF, ASEAN (dialogue partner), BIMSTEC, BIS, C, CERN (observer), CP, EAS,


IFRCS, IHO, ILO, IMF, IMO, IMSO, Interpol, IOC, IOM (observer), IPU,


(observer), OPCW, PCA, PIF (partner), SAARC, SACEP, SCO




Diplomatic representation in the US: chief of mission: Ambassador Ranendra SEN
chancery: 2107 Massachusetts Avenue NW, Washington, DC 20008; note – Consular Wing located at 2536 Massachusetts Avenue NW, Washington, DC 20008
telephone: [1] (202) 939-7000
FAX: [1] (202) 265-4351
consulate(s) general: Chicago, Houston, New York, San Francisco

Diplomatic representation from the US: chief of mission: Ambassador David C. MULFORD
embassy: Shantipath, Chanakyapuri, New Delhi 110021
mailing address: use embassy street address
telephone: [91] (011) 2419-8000
FAX: [91] (11) 2419-0017
consulate(s) general: Chennai (Madras), Kolkata (Calcutta), Mumbai (Bombay)



India’s diverse economy encompasses traditional village farming, modern agriculture, handicrafts, a wide range of modern industries, and a multitude of services. Services are the major source of economic growth, accounting for more than half of India’s output with less than one third of its labor force. About three-fifths of the work force is in agriculture, leading the United Progressive Alliance (UPA) government to articulate an economic reform program that includes developing basic infrastructure to improve the lives of the rural poor and boost economic performance. The government has reduced controls on foreign trade and investment. Higher limits on foreign direct investment were permitted in a few key sectors, such as telecommunications. However, tariff spikes in sensitive categories, including agriculture, and incremental progress on economic reforms still hinder foreign access to India’s vast and growing market. Privatization of government-owned industries remains stalled and continues to generate political debate; populist pressure from within the UPA government and from its Left Front allies continues to restrain needed initiatives. The economy has posted an average growth rate of more than 7% in the decade since 1997, reducing poverty by about 10 percentage points. India achieved 8.5% GDP growth in 2006, and again in 2007, significantly expanding production of manufactures. India is capitalizing on its large numbers of well-educated people skilled in the English language to become a major exporter of software services and software workers. Economic expansion has helped New Delhi continue to make progress in reducing its federal fiscal deficit. However, strong growth combined with easy consumer credit and a real estate boom fueled inflation concerns in 2006 and 2007, leading to a series of central bank interest rate hikes that have slowed credit growth and eased inflation concerns. The huge and growing population is the fundamental social, economic, and environmental problem.

GDP (purchasing power parity): $2.989 trillion (2007 est.)

GDP (official exchange rate): $1.099 trillion (2007 est.)

GDP – real growth rate: 9.2% (2007 est.)

GDP – per capita (PPP): $2,700 (2007 est.)

GDP – composition by sector: agriculture: 17.6%
industry: 29.4%
services: 52.9% (2007 est.)

Labor force: 516.4 million (2007 est.)

Labor force – by occupation: agriculture: 60%
industry: 12%
services: 28% (2003)

Unemployment rate: 7.2% (2007 est.)

Population below poverty line: 25% (2007 est.)

Household income or consumption by percentage share: lowest 10%: 3.6%
highest 10%: 31.1% (2004)

Distribution of family income – Gini index: 36.8 (2004)

Inflation rate (consumer prices): 6.4% (2007 est.)

Investment (gross fixed): 34.6% of GDP (2007 est.)

Budget: revenues: $141.8 billion
expenditures: $178.3 billion (2007 est.)

Public debt: 58% of GDP (federal and state debt combined) (2007 est.)

Agriculture – products: rice, wheat, oilseed, cotton, jute, tea, sugarcane, potatoes; cattle, water buffalo, sheep, goats, poultry; fish

Industries: textiles, chemicals, food processing, steel, transportation equipment, cement, mining, petroleum, machinery, software

Industrial production growth rate: 8.9% (2007 est.)

Electricity – production: 661.6 billion kWh (2005)

Electricity – consumption: 488.5 billion kWh (2005)

Electricity – exports: 67 million kWh (2005)

Electricity – imports: 1.764 billion kWh (2005)

Oil – production: 834,600 bbl/day (2005 est.)

Oil – consumption: 2.438 million bbl/day (2005 est.)

Oil – exports: 350,000 bbl/day (2005 est.)

Oil – imports: 2.098 million bbl/day (2004 est.)

Oil – proved reserves: 5.7 billion bbl (2007 est.)

Natural gas – production: 28.68 billion cu m (2005 est.)

Natural gas – consumption: 34.47 billion cu m (2005 est.)

Natural gas – exports: 0 cu m (2005 est.)

Natural gas – imports: 5.793 billion cu m (2005)

Natural gas – proved reserves: 1.056 trillion cu m (1 January 2006 est.)

Current account balance: -$19.35 billion (2007 est.)

Exports: $150.8 billion f.o.b. (2007 est.)

Exports – commodities: petroleum products, textile goods, gems and jewelry, engineering goods, chemicals, leather manufactures

Exports – partners: US 15.1%, UAE 8.8%, China 8.4%, UK 4.3% (2006)

Imports: $230.2 billion f.o.b. (2007 est.)

Imports – commodities: crude oil, machinery, gems, fertilizer, chemicals

Imports – partners: China 10.5%, US 7.8%, Germany 4.5%, Singapore 4.5%

Reserves of foreign exchange and gold: $275 billion (31 December 2007 est.)

Debt – external: $148.1 billion (31 December 2007)

Stock of direct foreign investment – at home: $95.28 billion (2007 est.)

Stock of direct foreign investment – abroad: $37.62 billion (2007 est.)

Market value of publicly traded shares: $818.9 billion (2006)

Currency (code): Indian rupee (INR)

Exchange rates: Indian rupees per US dollar – 41.487 (2007), 45.3 (2006), 44.101 (2005), 45.317 (2004), 46.583 (2003)

Fiscal year: 1 April – 31 March

Telephones in use: 49.75 million (2005)

Cellular Phones in use: 233.62 million (2007)

Telephone system: general assessment: recent deregulation and liberalization of telecommunications laws and policies have prompted rapid growth; local and long distance service provided throughout all regions of the country, with services primarily concentrated in the urban areas; steady improvement is taking place with the recent admission of private and private-public investors, but combined fixed and mobile telephone density remains low at about 20 for each 100 persons nationwide and much lower for persons in rural areas; fastest growth is in cellular service with modest growth in fixed lines
domestic: mobile cellular service introduced in 1994 and organized nationwide into four metropolitan areas and 19 telecom circles each with about three private service providers and one state-owned service provider; in recent years significant trunk capacity added in the form of fiber-optic cable and one of the world’s largest domestic satellite systems, the Indian National Satellite system (INSAT), with 6 satellites supporting 33,000 very small aperture terminals (VSAT)
international: country code – 91; a number of major international submarine cable systems, including Sea-Me-We-3 with landing sites at Cochin and Mumbai (Bombay), Sea-Me-We-4 with a landing site at Chennai, Fiber-Optic Link Around the Globe (FLAG) with a landing site at Mumbai (Bombay), South Africa – Far East (SAFE) with a landing site at Cochin, the i2i cable network linking to Singapore with landing sites at Mumbai (Bombay) and Chennai (Madras), and Tata Indicom linking Singapore and Chennai (Madras), provide a significant increase in the bandwidth available for both voice and data traffic; satellite earth stations – 8 Intelsat (Indian Ocean) and 1 Inmarsat (Indian Ocean region); 9 gateway exchanges operating from Mumbai (Bombay), New Delhi, Kolkata (Calcutta), Chennai (Madras), Jalandhar, Kanpur, Gandhinagar, Hyderabad, and Ernakulam

Radio broadcast stations: AM 153, FM 91, shortwave 68 (1998)

Television broadcast stations: 562 (1997)

Internet country code: .in

Internet hosts: 2.306 million (2007)

Internet users: 60 million (2005)

Airports: 346 (2007)

Airports (paved runways): total: 250
over 3,047 m: 18
2,438 to 3,047 m: 52
1,524 to 2,437 m: 75
914 to 1,523 m: 84
under 914 m: 21 (2007)

Airports (unpaved runways): total: 96
over 3,047 m: 1
2,438 to 3,047 m: 1
1,524 to 2,437 m: 7
914 to 1,523 m: 40
under 914 m: 47 (2007)

Heliports: 30 (2007)

Pipelines: condensate/gas 9 km; gas 7,488 km; liquid petroleum gas 1,861 km; oil 7,883 km; refined products 6,422 km (2007)

Railways: total: 63,221 km
broad gauge: 46,807 km 1.676-m gauge (17,343 km electrified)
narrow gauge: 13,290 km 1.000-m gauge (165 km electrified); 3,124 km 0.762-m gauge and 0.610-m gauge (2006)

Roadways: total: 3,383,344 km
paved: 1,603,705 km
unpaved: 1,779,639 km (2002)

Waterways: 14,500 km
note: 5,200 km on major rivers and 485 km on canals suitable for mechanized vessels (2006)

Merchant marine: total: 493 ships (1000 GRT or over) 8,272,533 GRT/14,117,658 DWT
by type: bulk carrier 104, cargo 232, carrier 1, chemical tanker 19, container 12, liquefied gas 19, passenger 3, passenger/cargo 11, petroleum tanker 91, roll on/roll off 1
foreign-owned: 12 (China 1, Hong Kong 1, UAE 8, UK 2)
registered in other countries: 59 (Barbados 1, Comoros 2, Cyprus 1, Dominica 2, Gibraltar 1, Liberia 2, Malta 3, Panama 29, Singapore 10, St Kitts and Nevis 1, St Vincent and the Grenadines 6, unknown 1) (2008)

Ports and terminals: Chennai, Haldia, Jawaharal Nehru, Kandla, Kolkata (Calcutta), Mormugao, Mumbai (Bombay), New Mangalore,


Military branches: Army, Navy (includes naval air arm), Air Force, Coast Guard

Military service age and obligation: 16 years of age for voluntary military service; no conscription (2008)

Manpower available for military service: males age 16-49: 301,094,084
females age 16-49: 283,047,141 (2008 est.)

Manpower fit for military service: males age 16-49: 231,161,111
females age 16-49: 236,633,962 (2008 est.)

Military expenditures – percent of GDP: 2.5% (2006)


Thanks …my friend…Amudy..







October 12, 2008 | Uncategorized


A Guide to Securing ISA Server 2006
Alan Maddison
At a Glance:
  • Best practices for securing your servers
  • Setting up the Security Configuration Wizard
  • A Security Configuration Wizard walkthrough
  • Assigning Administrative roles


While many IT pros rely on ISA Server 2006 (Internet Security and Acceleration Server 2006) to secure their technology assets, few take the extra step of securing ISA Server itself. If you have recently installed ISA Server 2006, you may recall that there was a reminder to do this immediately after installation was complete. Unfortunately, many of us IT pros rarely take (or have) the time to perform this important step, and so it ends up on that list of things to do that never get done.
In today’s constantly changing security landscape, this failure to secure ISA Server is no longer acceptable. Fortunately, the tools used to secure ISA Server have made tremendous advances. No longer do you have to face many of the challenges in the Security Hardening Wizards found in versions prior to ISA Server 2004. Instead, you can rely on well-defined steps and tools, such as the Security Configuration Wizard (SCW) that ships with Windows Server® 2003.
In this article I will provide a brief recap of general best practices for securing servers. Then I’ll take a step-by-step look at hardening strategies for ISA Server itself, using the Security Configuration Wizard to reduce the attack surface area of the ISA Server and Administrative roles to restrict access to the ISA Server.


Securing Your Servers
There are many elements and best practices involved in securing servers, whether they are located in a datacenter or in the server room next to your office. As an administrator, it is your responsibility to understand what these best practices are and do your best to implement these requirements in a manner that is practical for your organization. As the emphasis on security has become more prevalent in recent years, many of us have become quite familiar with the tasks that form the core of these requirements, so I won’t belabor the points but instead will provide only a brief overview.
The first step you must take to secure your environment is to ensure that your servers are physically secure. What this means in practical terms is that you must restrict physical access to your servers. In smaller environments this means making sure the server room door remains locked and the list of individuals with access to the room remains very small. In larger environments this basic requirement remains very much the same, but it can be implemented in a more sophisticated manner. Many organizations use electronic monitoring, for example. This allows them to audit entry to server locations and even restrict access to individual racks or cages depending on how job responsibilities are structured.
There are some unique factors to consider when dealing with the theft or physical compromise of an ISA Server or an ISA Configuration Storage Server. The nature of the information that can be obtained from the stolen server can potentially compromise all the ISA Servers and traffic (including encrypted traffic) in your environment.
If you suspect a server has been compromised, stolen, or otherwise, remove the affected server immediately (if it’s still on site) and follow standard procedures for securing evidence. After you have taken these necessary steps, you need to begin the process of changing all confidential information—all certificates installed on the server should be revoked and all preshared keys and shared secrets should be modified. In addition, if you maintain a replica Configuration Storage Server, make sure that any data relating to the compromised server is removed.
Once your servers are physically secure, the next step is to ensure that there is a structured methodology for patching all the software, including the virtualization layer, the OS, and applications. Patches, upgrades, and hotfixes should be reviewed and applied regularly. But don’t forget to test these updates before applying them to production systems. A patch won’t do you any good if it ends up causing a problem that compromises application or data integrity.
If data integrity is compromised, you will need to rely on your backups. This brings me to another key element in securing your infrastructure. If you can’t quickly and completely restore data if the need ever arises, the downtime can have a significant impact on your operations and, as a result, increase the cost of an intrusion.
Two other elements to consider are monitoring and auditing. Monitoring your applications and systems is a critical piece of any good security plan. If you don’t take the time to review logs, particularly security-related logs, you are unlikely to ever find intrusion attempts before the damage is already done.
Likewise, auditing is critical. For many organizations, especially large environments, this is often formalized and even required by legislation. Regardless, it is important in any environment to review on a regular basis the controls and methodology used to secure your assets for your efforts to be effective.
Finally, since you’re running ISA Server 2006 on Windows Server® 2003, it is important that you review the Windows Server 2003 Security Guide and implement the necessary recommendations. You can find the Windows Server 2003 Security Guide at microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx.
Microsoft currently recommends implementing the Baseline Security Policy template, but you should not implement any Internet Protocol Security (IPsec) filters.


Setting Up the Security Configuration Wizard
So how can you make ISA Server itself more secure? The primary tool for securing ISA is the SCW. This is an attack surface reduction tool. It creates security policies that target a server’s services, network security, registry, and audit policy, configuring the system for just the services and features it requires. It is important to note that you should only configure ISA Server services that you intend to use. For example, the Web Proxy service is enabled by default, but you should disable this functionality if you don’t intend to use it. Thus, you need to pay close attention to the configuration options the SCW presents to you.
The SCW isn’t installed by default in Windows Server 2003, so the first step is to install it yourself using the Add/Remove Windows® Components applet in the Add or Remove Programs control panel. (Note that the SCW is installed by default in Windows Server 2008.) Once the Windows Components screen has loaded, scroll down and check the box for the SCW.
Once the installation is complete, the application can be found under Administrative Tools. Before you begin using the wizard you must update the SCW by downloading an update for ISA Server 2006 (available at go.microsoft.com/fwlink/?LinkId=122532). This update adds the roles for ISA Server 2006 Standard Edition, ISA Server 2006 Enterprise Edition, and ISA Server Configuration Storage Server.
After you download the update, you need to run the package and extract the files from it. After extracting these files, copy the two .xml files (isa.xml and isaloc.xml) to the SCW kbs folder—in a default installation of Windows Server, this will be c:\windows\security\msscw\kbs.
When you copy the files, you will be prompted to overwrite two existing files with the same name. These two files are for ISA Server 2004, so you should back them up before overwriting them. The final step is to copy the isascwhlp.dll file to the bin folder, which is typically found in c:\windows\security\msscw\bin. Once you have completed the addition of the ISA roles to the SCW, you will be ready to begin the installation.
Microsoft generally recommends that you only run the SCW once you have completed the configuration of ISA Server. If you are running Enterprise Edition, this includes the configuration of all the arrays and all the array members.
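The copy-and-back-up steps above are easy to get half right by hand (the ISA Server 2004 definitions get overwritten before anyone saved them). The PowerShell script below is an added example, not part of the original article and not from Microsoft’s update package. It assumes the update has already been extracted to a folder you name (the C:\Temp\ISA2006_SCW default is a placeholder) and that the SCW lives under its default %SystemRoot%\security\msscw path; the file names isa.xml, isaloc.xml and isascwhlp.dll are the ones the article gives.

```powershell
# Added example (not from the article or from Microsoft): install the ISA Server 2006
# SCW knowledge-base files, keeping a timestamped copy of whatever they replace.
# Assumptions: the update package is already extracted to $ExtractDir (placeholder path),
# and the SCW component is installed under %SystemRoot%\security\msscw.
param(
    [string]$ExtractDir = 'C:\Temp\ISA2006_SCW',                      # hypothetical extraction folder
    [string]$ScwRoot    = (Join-Path $env:SystemRoot 'security\msscw') # default SCW location
)

$kbDir  = Join-Path $ScwRoot 'kbs'
$binDir = Join-Path $ScwRoot 'bin'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $ScwRoot "backup-$stamp"

# The three files named in the article and the folder each one belongs in.
$files = @(
    @{ Name = 'isa.xml';       Dest = $kbDir  },
    @{ Name = 'isaloc.xml';    Dest = $kbDir  },
    @{ Name = 'isascwhlp.dll'; Dest = $binDir }
)

# Fail early if the SCW folders are missing: that means the Windows component
# itself has not been installed yet, and copying files would achieve nothing.
foreach ($dir in $kbDir, $binDir) {
    if (-not (Test-Path $dir)) {
        throw "SCW folder not found: $dir (install the Security Configuration Wizard component first)"
    }
}
New-Item -ItemType Directory -Path $backup | Out-Null

foreach ($f in $files) {
    $src = Join-Path $ExtractDir $f.Name
    $dst = Join-Path $f.Dest    $f.Name
    if (-not (Test-Path $src)) { throw "Missing file in extracted update package: $src" }

    if (Test-Path $dst) {
        # An existing copy is the ISA Server 2004 definition; keep it so the change can be reverted.
        Copy-Item -Path $dst -Destination (Join-Path $backup $f.Name)
        Write-Host "Backed up $dst to $backup"
    }
    Copy-Item -Path $src -Destination $dst -Force
    Write-Host "Installed $($f.Name) into $($f.Dest)"
}
Write-Host "Done. To revert, copy the files in $backup back to their original folders."
```

Run it from an elevated prompt on the server where the SCW is installed; the backup folder it creates under the SCW root is what you would copy back if you ever need the ISA Server 2004 roles again.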


Running the SCW
The first step is to launch the SCW from Administrative Tools—remember that you need Administrative permissions to successfully complete the SCW process.
Figure 1 shows the first screen of the wizard. If you read through the text on this screen, particularly the warning that says “this wizard detects the inbound ports that are listened to by this server,” you can understand why it is important to have your ISA Server and arrays fully configured prior to beginning this process.

Figure 1 Starting the Security Configuration Wizard
If you have not fully configured your environment, there is a good chance that you will need to revise the SCW configuration after completing the ISA configuration. The next screen, shown in Figure 2, asks which action you want to perform. You should select the option to Create a new security policy.

Figure 2 Creating a new security policy
You are then instructed to select the server that will serve as the baseline for the policy. Since you are creating a new policy, the default selection is to use the computer on which you are running the SCW. This behavior changes, however, depending on the action you choose to perform on the previous screen. Regardless, it is recommended as a best practice to have the SCW installed on the server you wish to use as the baseline. If the SCW is not installed on the target server, information used to complete the policy will be missing. Thus, to make your life easier, install and run the SCW from the server you want to serve as the baseline.
When you press Next, the SCW will begin analysis of your ISA Server. This analysis includes determining roles that are installed on the server, roles that are likely installed on the server, services that are installed, and basic networking information. When processing is complete, you can view the database by selecting View Configuration Database. The configuration database contains a lot of information, including all supported server roles, client features, and ports.
Then the SCW begins the process of walking you through Role-Based Service Configuration. Pressing Next takes you to the next screen, where you are prompted to select the server roles, as shown in Figure 3. The initial scan performed by the SCW is reliable, and you should find that the correct server roles have already been identified. However, it is very important that you double-check and remove any unnecessary roles. And if the server fulfills multiple roles, make sure all of the appropriate roles are selected.

Figure 3 Specifying server roles
One important point to remember if you are running ISA Server 2006 Enterprise Edition is that you have to consider the Configuration Storage Server. If the Configuration Storage Server is installed on a server that also acts as an ISA Server (this, by the way, does not follow recommended best practices but is often done nonetheless), you will need to make sure the Configuration Storage Server role is also selected. You should not use a baseline scan of a server that hosts both roles for servers that actually have just the ISA Server 2006 role.
Next you are prompted to select the client features of the server. In other words, you need to specify the services required by the server. For instance, nearly all servers will require the DNS client, and if a server is a member of a domain, then it will require the Domain member feature.
After you’ve done that, you are shown the Administration and Other Options screen. This is where you indicate the application, administration, and operating system options that use services or rely on network connectivity. Any services not selected by this point will be disabled. But after you make your selections and press Next, you are given the option to select any additional services you want to allow.
Then you move on to configure how unspecified services should be handled. This lets you define what should happen when services that are not included in the main database or installed on the baseline server are found when the policy is being applied. As a general best practice you should choose to disable unspecified services because this will limit any unforeseen attack vectors. Unfortunately, this option can have negative consequences if your servers are unalike in any significant ways; you also need to remember this setting if you add any applications or network services in the future.
The next section of the wizard, which is shown in Figure 4, allows you to review the services that are being modified by the SCW. This confirmation screen provides you with a comparative view of both the current status and the modified status of services after the policy is applied.

Figure 4 Review and confirm service changes
After you confirm the services that are going to be changed, you move onto the Network Security section. This is where the SCW would typically let you modify Windows Firewall and IPsec settings. But since you are configuring ISA Server 2006, you have no choice but to skip this section, as shown in Figure 5.

Figure 5 Skipping past the Network Security settings
The wizard then moves on to configuring Registry settings that focus on network authentication methods and security. The first screen in this section involves Server Message Block (SMB) signing. The SMB protocol is a core Microsoft networking protocol, and these settings allow for signed communications in order to reduce the likelihood of man-in-the-middle attacks.
The default settings, as shown in Figure 6, provide a good level of security for your ISA Server SMB communications. But you must take into account the impact that will be caused by signing all communications. If you don’t have the spare CPU cycles, you should uncheck the second option. And don’t forget to think about all the servers to which this policy will be applied—if you have servers with different workloads, you need to use the server with the highest CPU utilization as the guideline for whether or not you select this option.

Figure 6 Specifying whether to require signed communications
The next set of screens deal with the LMCompatibility level that the ISA Server should use. The first of these screens presents three choices. Unless you have legacy Windows clients (such as Windows 95 or Windows 98) or you use local accounts for access control, you should leave the default choice of Domain Accounts selected.
On the second screen dealing with LMCompatibility level, you provide information about your domain controllers. If you don’t have any Windows NT® 4.0 domains, you can leave the default choice (Windows NT 4.0 Service Pack 6a or later OSs) selected. On this dialog, you should also select that the Clocks be synchronized with the selected server’s clock option. Selecting Next will lead to some additional configuration options for inbound LAN Manager (LM) communication, as shown in Figure 7.

Figure 7 Indicating inbound authentication methods
This third screen pertaining to LMCompatibility level will determine whether Windows NT LAN Manager (NTLM) version 2 is required and whether LM hashes are stored. You should make sure that neither of these options is selected, provided your environment will support this configuration, as deselecting these two options will improve security significantly. You are then presented with a Registry Settings Summary. Review each entry and confirm that the policy settings are correct.
Next, the wizard takes you to the final section—Auditing. One important point to note about any of the configuration options you make in this section is that they cannot be rolled back. But since auditing won’t affect system functionality, you should not skip this section.
The default selection of “Audit successful activities” will not provide you with event log entries for logon failures. However, information regarding logon failures can offer valuable information about intrusion attempts. Thus, as a general best practice, you should select “Audit successful and unsuccessful activities”.
You can then review your audit configuration and press Next twice to save your security policy. All that is required on this screen, shown in Figure 8, is a file name; however, you can also provide a brief description. This description can prove useful in large environments where different Administrators share security responsibilities.

Figure 8 Providing a name and description for your security policy
Once the file has been saved, you are given the option of applying the policy immediately or later. If you choose to apply the policy later, the process is complete. If you discover that you made any errors in the policy configuration, you can roll back the policy, with the exception of auditing settings.


Administrative Roles
Reducing the attack surface of your ISA Server is a critical step in reducing the potential for breaches from external sources. However, it’s also important to review the assignment of Administrative roles within ISA Server to limit the potential for compromise from internal sources. The Administrative roles and a partial list of common associated tasks are shown in Figures 9 and 10.
As you can see, there is a high degree of segmentation in the administrative tasks associated with ISA Server. This, in turn, should make it easy for you to assign the correct roles to users within your organization.
Beyond this, what you need to remember is that the best approach to role assignment is to employ the concept of least privilege. Any given user should have only the least amount of privileges necessary to allow him to do his job.
It is also important to remember that members of the local Administrators group on ISA Server 2006 Standard Edition have the same rights as an ISA Server Full Administrator. With Enterprise Edition, members of the local Administrators group on the server with the Configuration Storage Server role have complete control over the Enterprise configuration. This means that you need to carefully review the membership of the Domain Admins group, assuming your ISA Server is a member of a domain, as well as any other group that is a member of the ISA Server’s local Administrators group.

October 6, 2008 | Uncategorized


Windows Administration
Disaster Recovery: Active Directory Users and Groups
Gil Kirkpatrick
At a Glance:
  • Mechanics of replication and object linking
  • Using NTDSUTIL to back up and restore
  • Authoritative and non-authoritative restores
Active Directory is one of the most critical services in a Windows network. To avoid downtime and loss of productivity, it’s essential that you have effective disaster recovery plans in place for problems related to Active Directory. This point may sound obvious, but it’s amazing how many administrators don’t have a plan for one of the most common Active Directory® failure scenarios: accidental deletion of data.
Accidental deletion of objects is one of the most common root causes of service failure. When I do seminars and conferences, I often ask who has had an Active Directory failure due to accidental deletion of data. And every time, nearly everyone raises his hand.
To understand why data recovery is so complex, you first need to understand the following: how Active Directory stores and replicates objects, how it deletes objects, and the mechanics of authoritative and non-authoritative restores.
Storing Objects
Active Directory is a specialized object database that implements the X.500/LDAP data model. The data store (called the Directory Information Tree or DIT) is based on the Extensible Storage Engine (ESE), an indexed sequential access method (ISAM) database engine. Conceptually, Active Directory stores the DIT in two tables: the data table (which contains the actual Active Directory objects and attributes), and the link table (which contains the relationships between objects).
Each Active Directory object is stored in a separate row in the data table, with one column per attribute. The data table contains all the entries for all of the replicas stored on the domain controller (DC). On a normal DC, the data table contains entries from the domain NC (naming context), the configuration NC, and schema NC. On a global catalog, the data table contains entries for each object in the forest.
Active Directory uses the distinguished name tag (DNT)—a 32-bit integer—to uniquely identify each row in the data table. The DNT, used to refer to objects internally, is much smaller than other identifiers like the distinguished name (DN) and the objectGUID (a 16-byte binary structure). But unlike the objectGUID, the DNT is a local identifier, and is different on each DC.
How Active Directory Links Objects
Active Directory manages two kinds of relationships between objects in the DIT: the parent-child relationship (also referred to as the container relationship) and the reference relationship (also referred to as the link relationship). To implement the parent-child relationship, Active Directory stores an additional column in the data table called the parent distinguished name tag, or PDNT. This column always contains the DNT of the object’s parent.
Each attribute in Active Directory is defined by an attributeSchema object in the Active Directory Schema container. Certain attributes in Active Directory are defined as link attributes, as determined by an even, non-zero value in the linkID attribute of the attributeSchema object. Link attributes establish a relationship between objects in the directory and can be single-valued or multi-valued. The member attribute of a group object is an example of a multi-valued link attribute—it establishes a link between the group object and its member objects.
Even though it appears that the member attribute of a group contains the DNs of the members (as displayed by the Active Directory Users and Computers snap-in, for instance), this is not how Active Directory stores them. When you add the DN of a member object to a group’s member attribute, Active Directory stores the object’s DNT, not its DN. Since the DNT doesn’t change, even when an object is renamed, you can rename a user object and Active Directory won’t have to sort through all the groups in the system to update the DN in each of the member attributes. This is how Active Directory maintains referential integrity within the DIT. Figure 1 shows a representation, though greatly simplified, of how the data table and link table relate to each other. These tables show that the three user objects—Molly Clark, Alexander Tumanov, and Makoto Yamagishi—are all members of the Senior Engineers group.
These links are called forward links. Similarly, Active Directory also provides backward link attributes. These provide a reference from the linked-to object back to the object that refers to it, meaning the object with the forward link. The memberOf attribute for users and groups is an example of a back link attribute. The attributeSchema object that describes a back link attribute has a linkID value that is one greater than the even-numbered linkID value of the corresponding forward link attribute. For instance, the member attribute in the Windows Server® 2003 R2 schema has a linkID value of 2; the memberOf attribute that serves as the back link has a linkID value of 3. For more information, Figure 2 provides a list of the linked attributes defined by default in the Windows Server 2003 R2 schema.
Back link attributes are always multi-valued and they’re maintained automatically by Active Directory. In fact, you can’t directly modify a back link attribute. Even though it appears that you can modify the memberOf attribute of a user or group through the Active Directory Users and Computers MMC snap-in, the snap-in is actually modifying the member attribute of the corresponding group, and Active Directory updates the memberOf attribute behind the scenes. This is why you don’t need permissions on the user object to add the user to a group; you are really only modifying the member attribute of the group object. Because each DC manages its back link attributes locally, changes to back links are never replicated. Only the change to the forward link attribute, such as the member attribute of a group, is replicated.
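The tables in Figure 1 can be reduced to a small working model. The following Python is an added example, not code from the article or from Active Directory itself: it keeps a data table keyed by DNT with a PDNT column, stores forward links as DNT pairs in a link table, and derives memberOf from that table, so renaming Molly Clark changes no group row. The linkID values and object names come from the article; the rename and everything else are constructed.

```python
"""Toy model of the Active Directory data table and link table.

Added example, not code from the article or from Active Directory: it
models the DNT and PDNT columns, forward links stored as DNT pairs, and
back links derived from the link table, using the objects from Figure 1.
"""

# linkID values from the Windows Server 2003 R2 schema named in the
# article: forward link attributes have an even, non-zero linkID and the
# matching back link has that value plus one.
LINK_IDS = {"member": 2, "memberOf": 3}


def backlink_of(forward_attr, link_ids=LINK_IDS):
    """Return the back link attribute whose linkID is the forward linkID + 1."""
    fid = link_ids[forward_attr]
    if fid == 0 or fid % 2:
        raise ValueError(f"{forward_attr} is not a forward link attribute")
    for name, lid in link_ids.items():
        if lid == fid + 1:
            return name
    return None


class DIT:
    """One DC's local view: data table rows keyed by DNT plus a link table."""

    def __init__(self):
        self.next_dnt = 1   # DNTs are local to this DC and never replicated
        self.data = {}      # dnt -> {"rdn": ..., "pdnt": ...}
        self.links = set()  # (linkID, from_dnt, to_dnt) forward link rows

    def add(self, rdn, parent_dnt=None):
        dnt = self.next_dnt
        self.next_dnt += 1
        self.data[dnt] = {"rdn": rdn, "pdnt": parent_dnt}
        return dnt

    def dn(self, dnt):
        """Rebuild the DN by walking PDNT up to the root; DNs are not stored."""
        parts = []
        while dnt is not None:
            row = self.data[dnt]
            parts.append(row["rdn"])
            dnt = row["pdnt"]
        return ",".join(parts)

    def rename(self, dnt, new_rdn):
        """Rename changes the row only; the DNT, and so every link, is untouched."""
        self.data[dnt]["rdn"] = new_rdn

    def add_member(self, group_dnt, member_dnt):
        """Store the member's DNT in the link table, not its DN."""
        self.links.add((LINK_IDS["member"], group_dnt, member_dnt))

    def members(self, group_dnt):
        """Forward link (member): resolve the linked DNTs to current DNs."""
        return sorted(self.dn(to) for lid, frm, to in self.links
                      if lid == LINK_IDS["member"] and frm == group_dnt)

    def member_of(self, dnt):
        """Back link (memberOf): computed from the link table, never stored."""
        return sorted(self.dn(frm) for lid, frm, to in self.links
                      if lid == LINK_IDS["member"] and to == dnt)


def demo():
    """Build the Figure 1 objects, rename a member, and read both link directions."""
    dit = DIT()
    root = dit.add("DC=DRNET", dit.add("DC=com"))
    eng = dit.add("OU=Eng", root)
    group = dit.add("CN=Senior Engineers", eng)
    users = {name: dit.add(f"CN={name}", eng)
             for name in ("Molly Clark", "Alexander Tumanov", "Makoto Yamagishi")}
    for dnt in users.values():
        dit.add_member(group, dnt)
    links_before = set(dit.links)
    dit.rename(users["Molly Clark"], "CN=Molly Clark-Smith")  # constructed rename
    return {
        "members": dit.members(group),
        "member_of": dit.member_of(users["Molly Clark"]),
        "links_unchanged": dit.links == links_before,
        "backlink": backlink_of("member"),
    }
```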
On a normal DC, the data table contains entries for domain objects as well as objects from the Configuration and Schema containers. But some group types can contain references to objects that reside in another domain. How does Active Directory store a DNT for an object that is not in its data table? The answer lies with the Infrastructure Master FSMO (Flexible Single Master Operations) role owner and something called a phantom object.
Phantom Objects
When you add a member from one domain to a group in another domain, Active Directory automatically creates a special object in the data table called a phantom, which contains the objectGUID, objectSid, and DN of the new member. This provides a DNT that can be stored in the member attribute of the group. If a domain controller is a global catalog, it will not need to create a phantom because it already has an entry in its data table for each object in the forest.
The DC that holds the Infrastructure FSMO role periodically checks the entries in its data table against a global catalog and when it finds that an object has been moved, renamed, or deleted, it updates the phantoms in the data table and replicates the change to the other DCs in the domain. And by virtue of a reference count, the infrastructure master can also remove phantoms that are no longer referred to by any forward link attribute in the domain.
Phantoms allow DCs to manage references to objects in other domains within the forest, but forward link attributes can also refer to objects that are outside the forest—for instance, in a trusted domain. In this case, Active Directory creates an object called a foreign security principal (FSP) in the CN=ForeignSecurityPrincipals container in the domain NC. The FSP contains the foreign object’s Security Identifier (SID) and other attributes that identify the object in the foreign domain, but there is no process to ensure that the FSP is kept up to date. For the purposes of data recovery, we treat FSPs as we would any other Active Directory object.
Deleting Objects
Here, I focus primarily on restoring users and their group memberships. However, the same principles apply to recovering other linked attributes.
When Active Directory deletes an object, it doesn’t physically delete the object from the DIT. Instead, it marks the object as deleted by setting its isDeleted attribute to true, which renders the object invisible to normal directory operations. Active Directory removes all attributes that are not designated to be saved, as defined by the schema, and changes the relative distinguished name (RDN) of the object to <old RDN>\0ADEL:<objectGUID>. It then moves the object to the CN=Deleted Objects container for the NC. (There are some classes of objects in the Configuration NC that Active Directory does not move to the Deleted Objects container.) Active Directory removes any forward links to other objects that the deleted object holds—which reduces their reference count in the link table. If there are other objects that contain forward links to the now deleted object, Active Directory removes those links as well.
The resulting object is called a tombstone. Active Directory replicates this tombstone to other DCs, where the same changes are made. Note that Active Directory does not replicate the changes made to forward links that refer to the deleted object. Each DC makes the equivalent change locally, so there is no need to replicate it. This has consequences for recovering group memberships, as I will discuss later in the article.
Active Directory maintains tombstoned objects in the DIT as determined by the tombstoneLifetime attribute of the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<root domain> object. The garbage collection process on each DC removes tombstones that are older than the configured tombstone lifetime. By default, the tombstone lifetime is 60 days for Windows® 2000, Windows Server 2003, and Windows Server 2003 R2. It is 180 days for Windows Server 2003 SP1.
The tombstone lifetime has a significant bearing on the restore process. You cannot restore from a backup that is older than the tombstone lifetime. Because objects that have been deleted and then garbage collected from the domain no longer have tombstones, the deletion operation will never re-replicate to the restored DC. The deleted objects will then remain on the restored DC as lingering objects and the restored DC will never properly converge with the other DCs in the domain.
Replicating Objects
Whenever a domain controller performs an update operation of any sort—for instance adding an object or modifying an attribute—the DC assigns a unique 64-bit number to the update operation, called an update sequence number (USN). Active Directory tags the objects and attributes that are updated with the USN to help determine whether they need to be replicated.
Active Directory replicates objects on an attribute-by-attribute basis. That is, if you modify an attribute of an object, Active Directory will replicate just that attribute, not the entire object. To do this, Active Directory keeps track of the changes it makes to each attribute with replication metadata. The replication metadata for an attribute includes:

  • The local USN, which identifies the change operation on the local DC.
  • The invocationID of the DC that originated the change (specifically, the invocationID attribute of the DC’s corresponding nTDSSettings object), which identifies a particular generation of the DIT on a domain controller.
  • The USN of the original operation as it exists on the originating DC.
  • A time stamp that contains the DC system time for when the originating change was made.
  • A 32-bit sequential version number that is incremented each time the value is changed.
When a destination DC requests changes from its source DC partner, it sends the USN of the last successfully replicated change to the source DC along with an up-to-dateness vector that includes the largest originating USN the destination DC has seen from each DC that has a replica of the NC being replicated. The source DC uses this information to send only those updates that the destination DC has not already seen.
As the destination DC processes the incoming attribute updates, it checks the version number of each attribute. If the version number of an incoming attribute is greater than the version the DC already has for that attribute, the DC stores the incoming value. If the incoming version number is equal to the version the DC already has, the DC compares the timestamps and uses the attribute with the latest timestamp. If the timestamps are the same, the destination DC chooses the value with the largest invocationID. This guarantees that every DC will eventually settle on the same value for every replicated attribute.
Linked Value Replication
In Windows 2000, Active Directory replicated multi-valued attributes in the same fashion as single-valued attributes. This caused problems for large, dynamic group objects whose multi-valued member attribute could change frequently on different DCs. If an administrator added a user to a group on one DC and a different administrator added a different user to the group on another DC within the replication latency window, Active Directory would choose the later addition and completely lose the earlier addition. Microsoft addressed this problem in Windows Server 2003 with a process called linked value replication (LVR).
With Windows Server 2003 forest functional level or interim forest functional level, Active Directory replicates the individual values of multi-valued forward link attributes separately, with each value having its own replication metadata. This effectively solves the problem found in Windows 2000 where nearly simultaneous updates of group membership on different DCs could cause data to be lost.
There is one point to be aware of, however. Raising the forest functional level does not automatically fix up existing multi-valued link attributes with the new replication metadata. Only values that are added after raising the forest functional level will have the new metadata. This will have a significant effect on recovering group memberships, as you’ll see in a moment.
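The tie-break from the replication section and the Windows 2000 versus LVR behaviour described above, as an added Python example (not code from the article or from Windows): incoming_wins applies version, then time stamp, then invocationID, and GroupReplica replicates a group’s member attribute either as one unit or one value at a time. DC names, invocationIDs and times are constructed.

```python
"""Replication metadata, conflict resolution, and linked value replication.

Added example, not code from the article or from Windows. It applies the
article's three-step tie-break (version, then time stamp, then
invocationID) and then shows why a whole-attribute replicated 'member'
loses a concurrent addition while per-value (LVR) metadata keeps both.
DC names, invocationIDs and times are constructed values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Meta:
    version: int        # 32-bit version, incremented on each change
    timestamp: int      # originating DC system time (constructed, seconds)
    invocation_id: str  # invocationID of the originating DC (a GUID in AD;
                        # compared here as a string, so keep IDs the same length)


def incoming_wins(local: Meta, incoming: Meta) -> bool:
    """Decide whether a destination DC stores an incoming attribute value."""
    if incoming.version != local.version:
        return incoming.version > local.version
    if incoming.timestamp != local.timestamp:
        return incoming.timestamp > local.timestamp
    return incoming.invocation_id > local.invocation_id


class GroupReplica:
    """One DC's copy of a group's member attribute."""

    def __init__(self, invocation_id, lvr):
        self.invocation_id = invocation_id
        self.lvr = lvr
        self.members = set()
        self.attr_meta = Meta(0, 0, invocation_id)  # whole-attribute metadata
        self.value_meta = {}                        # per-value metadata (LVR)

    def add_member(self, dn, now):
        """Originating change: stamp either the whole attribute or just the value."""
        self.members.add(dn)
        if self.lvr:
            self.value_meta[dn] = Meta(1, now, self.invocation_id)
        else:
            self.attr_meta = Meta(self.attr_meta.version + 1, now,
                                  self.invocation_id)

    def pull_from(self, src):
        """Replicate src's changes in; the tie-break decides each unit."""
        if self.lvr:
            for dn, meta in src.value_meta.items():
                if dn not in self.value_meta or incoming_wins(self.value_meta[dn], meta):
                    self.value_meta[dn] = meta
                    self.members.add(dn)
        elif incoming_wins(self.attr_meta, src.attr_meta):
            # Windows 2000 style: the whole value set is replaced
            self.attr_meta = src.attr_meta
            self.members = set(src.members)


def concurrent_adds(lvr):
    """Two admins add different users on two DCs inside the latency window."""
    dc1 = GroupReplica("aaaa-dc1", lvr)
    dc2 = GroupReplica("bbbb-dc2", lvr)
    dc1.add_member("CN=Molly Clark,OU=Eng,DC=DRNET,DC=com", now=100)
    dc2.add_member("CN=Alexander Tumanov,OU=Eng,DC=DRNET,DC=com", now=101)
    dc1.pull_from(dc2)
    dc2.pull_from(dc1)
    assert dc1.members == dc2.members  # both DCs converge either way
    return sorted(dc1.members)
```

Without LVR the later addition wins and Molly Clark's membership is lost on both DCs; with LVR both values survive.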
Backing Up
Windows includes the very basic NTBACKUP utility, which can be used to perform a system state backup of a DC. The system state of a domain controller includes its registry, SYSVOL, Active Directory DIT files, and critical system files. Most third-party backup utilities also have the ability to back up and restore the system state of a DC.
To perform a system state backup to a disk file, use the following command:
NTBACKUP backup systemstate /F "<filename>"
Here, <filename> is the name of the backup file to be created and should use the .bkf extension.
Performing a Non-Authoritative Restore
Restoring deleted Active Directory objects from backup is a two-step process. First, you reboot the DC into Directory Services Restore mode (DSRM) and then you restore the entire Active Directory DIT from the system state backup using the Windows NTBACKUP utility or an equivalent third-party product. This process will overwrite the entire DIT.
There are two ways to boot a DC into DSRM. If you have access to the system console of the DC, shut down and restart the DC and press F8 when prompted to bring up the Windows boot menu. Select Directory Services Restore from the menu and enter the DSRM password.
If you are managing the server remotely, you won’t be able to access the Windows boot menu. Instead, you can change the system boot options by selecting Properties from My Computer, clicking the Advanced tab, and pressing the Settings button located under Startup and Recovery. Press the Edit button in the System startup section to edit the boot.ini file, and add the switch /SAFEBOOT:DSREPAIR to the end of the line, as shown in Figure 3. (For more information about boot.ini switches, see microsoft.com/technet/sysinternals/information/bootini.mspx.)

Figure 3 Setting boot options for DSRM
When you reboot the server, it will come up in DSRM. Remember that you have to remove the /SAFEBOOT switch from boot.ini when you want to restart the DC in normal mode.
Once you’ve logged in using the DSRM password, restore the system state backup using the NTBACKUP command again, but without specifying any parameters. (You can’t perform a restore using NTBACKUP from the command line.) When the wizard comes up, select Restore files and settings and click Next. Then select the backup file and check the System State box as shown in Figure 4.

Figure 4 Using the Backup or Restore Wizard to restore system state
If you were to boot the DC back into normal mode at this point, the Active Directory replication process would bring the restored domain controller back into sync with the other DCs in the domain, and all of the restored data would be overwritten with current data. Clearly, this isn’t your goal. Instead, you need a way to force the objects being restored to replicate out to the other domain controllers in the domain.
Performing an Authoritative Restore
After you’ve completed the non-authoritative restore, but before you reboot into normal mode, you use the NTDSUTIL program to perform an authoritative restore of the objects you want to recover. Despite the name, authoritatively restoring an object does not “restore” it; it simply ensures that Active Directory will replicate the object to the other DCs. To do this, NTDSUTIL assigns the next available USN to the local USN of the attributes of the object. This causes the object to be sent to replication partners the next time they synchronize.
NTDSUTIL also increases the version number of each attribute by 100,000 for each day between the date of the backup and the date of the restore. Unless there are attributes that are being updated more than 100,000 times a day (a pretty unlikely scenario), the version number of the restored attributes will be much greater than the version numbers held by other DCs, and the authoritatively restored object will replicate to the other DCs. The other objects that were restored non-authoritatively from backup will be ultimately overwritten by the existing data from the other domain controllers.
To restore a single object, make sure the DC is booted in DSRM, and follow these steps:
  1. Open a command window and type:
    ntdsutil
  2. At the ntdsutil prompt, type:
    authoritative restore
  3. At the authoritative restore prompt, type:
    restore object "<DN of object to be restored>"

    For example, if you want to restore the Molly Clark account from the Eng OU in the DRNET domain, you would enter:

    restore object "CN=Molly Clark,OU=Eng,DC=DRNET,DC=com"

    If you want to authoritatively restore an entire directory subtree, for instance an OU, you would instead enter:

    restore subtree "OU=Eng,DC=DRNET,DC=com"

    (NTDSUTIL also provides a restore database command that authoritatively restores the entire domain as well as the configuration and schema NCs. Restoring the entire domain is fraught with peril and I don’t recommend you use that option. If you need to restore an entire domain, you should restore one domain controller and repromote the other DCs in the domain as described in “Planning for Active Directory Forest Recovery“,

  4. When prompted, confirm that the authoritative restore should increase the version numbers of the respective objects and their attributes.
  5. Exit ntdsutil (you’ll need to type quit two times).
  6. Reboot the DC into normal Active Directory mode.
The next time the DC replicates with its partners, the user you restored will replicate out. But restoring the user object is only half the problem. When you introduce object links like those between a group and its members, the situation is more complicated. There are a few fundamental problems you may face during and after the restore, which I will describe in the next few sections.
First, let’s review what happens when you delete an object that has back links. Say you delete a user object that is a member of one or more groups. Each domain controller that has a copy of the user object will convert it into a tombstone and remove any references from the link table, thereby removing the user object from any group memberships in the user’s domain. (Remember that removing the user from group memberships is not a replicated change since each DC updates the group membership locally. The version number and local USN of the group’s member attribute remain unchanged.) A short time later, the phantom objects will be removed from the link tables in other domains, again without updating the replication metadata of the group’s member attribute.
When you non-authoritatively restore the DIT on a domain controller in the user’s domain, you recover the user object along with all of the group memberships in groups in the domain, so the restored DC is self-consistent. And after you use the NTDSUTIL utility to authoritatively restore the user, the user object replicates out to all the other DCs in the domain.
But because the replication metadata of the current groups in the domain is unchanged, the member attributes of the groups on the restored DC are inconsistent with those on the other DCs. And there is nothing to make them converge on a common state. Thus, the user’s memberships will not be restored on the other DCs in the domain.
Problem: Group Memberships within the Domain Don’t Restore
Authoritatively restoring the user object does not recover the user’s group memberships. Why not? Because the membership relationship is stored and replicated using the member attribute of the group objects (the forward-links), not the memberOf attribute of the user (the back-link). The problem is how to find the user’s old group memberships and, once you know them, how to recover them properly.
Microsoft has made incremental improvements to the process of recovering a user’s group memberships, so the technique you use depends on the version of Active Directory you are running. The following section applies primarily to Windows 2000 Active Directory.
Determining the user’s old group memberships is pretty easy: simply inspect the backlink attribute on the restored DC—in this case, the memberOf attribute of the user object. The memberOf attribute will contain all of the memberships to local and global groups in the user’s domain. You can use the Active Directory Users and Computers MMC snap-in (ADUC), or you can use the LDIFDE utility, which is included with Windows Server, to list the restored user’s group memberships.
The following LDIFDE command line will list the groups in the DRNET domain that Molly Clark is a member of, storing the results in the output.ldf file:
C:\> ldifde -r "(distinguishedName=CN=Molly Clark,OU=Engineering,DC=DRNET,DC=Local)" -l memberOf -p Base -f output.ldf
Note that you must boot the DC into normal mode to use any LDAP tools and, again, you must disable inbound replication; otherwise the data you restored would be overwritten. The easiest way to disable inbound replication is to use the REPADMIN command:
C:\> repadmin /options <dcname> +DISABLE_INBOUND_REPL
Here, <dcname> is the name of the DC you are restoring to. And don’t forget to re-enable replication using -DISABLE_INBOUND_REPL when you are finished.
If you are recovering only a few users, simply adding the user back to the groups manually using ADUC is pretty easy. If you are recovering more than a few users, there are some tools that can automate some of the process. The Microsoft GROUPADD utility (available from Microsoft Product Support Services) can accept the LDIF file you created to list the user’s old group memberships, and in turn generate an LDIF file that recreates those memberships. For instance, you would use this GROUPADD command to process the LDIF file we created in the earlier example for Molly Clark:
C:\> groupadd /after_restore output.ldf
This command will create a new LDIF file for each domain that Molly Clark had group memberships in with the name groupadd_<domain>.ldf (where <domain> is the fully qualified domain name of the domain whose groups will be updated). You would import the LDIF file created above with the following command:
C:\> ldifde -i -k -f groupadd_child.drnet.net.ldf
With Windows Server 2003, Microsoft improved NTDSUTIL to take advantage of the additional metadata that is present in the member attribute to support link-value replication (LVR). If the restored user object had been a member of any groups in the domain, and the user’s group membership was stored with LVR metadata, then NTDSUTIL increases the version number of the corresponding value of the member attribute, which then causes the restored membership to replicate out.
The Windows Server 2003 SP1 version of NTDSUTIL incorporates the GROUPADD functions and will automatically create LDIF files as it performs the authoritative restore of the user object. Figure 5 shows the new version of NTDSUTIL, and Figure 6 shows the contents of the automatically created LDIF file.
Figure 5 New NTDSUTIL with GROUPADD capabilities built in
If you are restoring an entire OU that contains a number of users and groups, adding the users back to their groups manually is quite tedious. Another way to recover the restored group memberships is to authoritatively restore the groups themselves.
There are two problems with authoritatively restoring groups, though. The first problem is fairly obvious: if you restore a group, the membership in that group will revert to its state as of the time of the backup. This means that any changes you have made to the group since the last backup will have to be reapplied to the group. The second problem is a little more subtle and has to do with the way Active Directory replication works. After an authoritative restore of both users and groups, there is no guarantee in which order they will replicate out. If a group object replicates to a DC before the restored user object, the replicating domain controller will automatically remove the user reference from the group because the user object does not yet exist on that DC. When the user object replicates in later, it will not be added to the group.
The easiest solution to this problem is to perform the authoritative restore of the groups a second time. After you perform the first authoritative restore, reboot into normal mode and make sure that replication takes place properly. Then reboot back into DSRM and run NTDSUTIL to perform an authoritative restore of the groups the user was a member of. This guarantees that when you boot back into normal mode, the user object will have replicated out before the group objects referring to it replicate.
Problem: Group Memberships in Other Domains Don’t Restore
The “which groups was this user a member of” problem is actually more difficult than I’ve described. The user you’re restoring may have been a member of domain local and universal groups in other domains and those group memberships will not be restored when you do the non-authoritative restore. So how do you know what groups the user belonged to in other domains? The answer is in the global catalog. Along with its own domain’s data, the global catalog contains a read-only copy of the data from the other domains in the forest.
To take advantage of the global catalog’s forest-wide data, you must perform the non-authoritative restore on a global catalog, which means you must have backed up a global catalog to begin with. Now, when you run LDIFDE to identify the user’s group memberships, you can find out the user’s universal group memberships from other domains.
When you list the group memberships of the user you are recovering, connect to the global catalog port 3268 instead of the default 389, and specify the root domain of the forest as the base of the search. LDIFDE will display the recovered user’s group memberships, including membership in universal groups in all the domains in the forest. Here’s how to do this:
C:\> ldifde -r "(distinguishedName=CN=Don Clark,OU=Engineering,DC=DRNET,DC=Local)" -t 3268 -l memberOf -p Base -f output.ldf
If you run GROUPADD or the new NTDSUTIL on a global catalog, you will produce one LDIF file for the user’s domain, and one LDIF file for each domain in which the restored user was a member of a universal group. When you import these LDIF files, you will restore all the group memberships for the user. Well, almost all—which brings us to the next problem.
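As an added example (not code from the article, from Microsoft's GROUPADD, or from NTDSUTIL), the following Python script performs the two steps described above: it parses a memberOf dump of the kind LDIFDE writes against a global catalog, and it produces one add-member LDIF per domain, named groupadd_<domain>.ldf as the article describes. The input LDIF is constructed; the group names and the child.DRNET.Local domain are assumptions.

```python
# Added example, not code from the article, from Microsoft's GROUPADD or from
# NTDSUTIL: rebuild a restored user's group memberships from an LDIFDE memberOf
# dump, emitting one "add: member" LDIF per domain (groupadd_<domain>.ldf).
import re
from collections import defaultdict

# Constructed sample of what
#   ldifde -r "(distinguishedName=...)" -t 3268 -l memberOf -p Base -f output.ldf
# returns against a global catalog: the user's own groups plus a universal group
# in a second domain. The group names and child.DRNET.Local are assumptions.
# LDIF folds long values: a continuation line starts with a single space.
SAMPLE_LDIF = """\
dn: CN=Molly Clark,OU=Engineering,DC=DRNET,DC=Local
changetype: add
memberOf: CN=Engineers,OU=Groups,DC=DRNET,DC=Local
memberOf: CN=All Staff,OU=Groups,
 DC=child,DC=DRNET,DC=Local
memberOf: CN=Project Leads,OU=Groups,DC=DRNET,DC=Local
"""


def unfold(ldif_text):
    """Join LDIF continuation lines back onto the line they belong to."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_memberof(ldif_text):
    """Return (user_dn, [group_dn, ...]) from a single-entry memberOf dump."""
    user_dn, groups = None, []
    for line in unfold(ldif_text):
        if line.startswith("dn: "):
            user_dn = line[len("dn: "):]
        elif line.lower().startswith("memberof: "):
            groups.append(line[len("memberOf: "):])
    return user_dn, groups


def domain_of(dn):
    """DNS name of the domain a DN lives in, read from its DC= components."""
    return ".".join(re.findall(r"DC=([^,]+)", dn, flags=re.I)).lower()


def build_modify_ldif(user_dn, groups):
    """Map groupadd_<domain>.ldf -> LDIF text that re-adds user_dn to every
    group of that domain. Each file is imported with 'ldifde -i -k -f <file>'
    against a DC of that domain, so foreign-domain files stay separate."""
    per_domain = defaultdict(list)
    for group_dn in groups:
        per_domain[domain_of(group_dn)].append(group_dn)
    files = {}
    for domain, group_dns in per_domain.items():
        changes = ["dn: %s\nchangetype: modify\nadd: member\nmember: %s\n-\n"
                   % (g, user_dn) for g in group_dns]
        files["groupadd_%s.ldf" % domain] = "\n".join(changes)
    return files
```

Only groups whose member attribute reaches the global catalog appear in the dump, so, as the next section explains, domain local groups in other domains will be missing from the generated files.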
Problem: Recovering Domain Local Group Memberships in Other Domains
There are three kinds of groups in a Windows Active Directory environment. Global groups can only contain members from the same domain, but can be used as members of domain local groups in their own domain and in other domains in the forest. The member attribute of global groups does not appear in the global catalog, but this is not an issue because global groups only contain members from their own domain. Universal groups can contain members from any domain and can be used as members of other universal groups in the forest and of domain local groups in their own domain and in other domains in the forest. The member attribute of universal groups is replicated to global catalogs. Domain local groups can contain members from any domain in the forest, but cannot be used as members of groups in other domains. More importantly, the member attribute of domain local groups, like that of global groups, does not appear in the global catalog. The result is that there is no easy way to recover the user's membership in domain local groups in other domains.
Before Windows Server 2003 SP1, the only way to recover domain local group memberships in foreign domains was to restore a DC in each domain, manually search the domain data for any domain local groups that contained the restored user, and then add the user back to the groups you identified. In a large environment with lots of domains, this approach is prohibitively time-consuming.
The Windows Server 2003 SP1 version of NTDSUTIL can help. When you run NTDSUTIL on a domain controller, the utility creates a text file that contains the DN and GUID of the restored user objects. Then for each foreign domain, you can non-authoritatively restore a single DC, copy the text file to the DC, and run NTDSUTIL to generate a new domain-specific LDIF file that adds the recovered user back to the domain local groups it was a member of.
To do this, perform the following steps on a DC in each foreign domain:

  1. Boot the DC in the foreign domain into DSRM.
  2. Use NTBACKUP to restore a copy of the DIT that contains the restored user’s group memberships.
  3. Copy the .txt file created by NTDSUTIL to the current DC.
  4. Open a command window and type ntdsutil.
  5. Type authoritative restore.
  6. Type create LDIF file(s) from <file name> (where <file name> is the name of the text file).
  7. Type quit two times to exit ntdsutil.
  8. Reboot the DC to normal Active Directory mode.
  9. Type ldifde –i –f <ldif filename> (where <ldif filename> is the name of the LDIF file you just created).
And now you have restored all the deleted user’s group memberships.
Recovering Active Directory users and their group memberships, particularly in a multi-domain environment, is complicated. The specific steps required to properly recover group memberships depend on the version of Windows you are running.
If you are running Windows 2003 SP1, you would take the following steps:

  1. Boot a GC into DSRM and perform a system state restore using a backup that contains the deleted user.
  2. Use NTDSUTIL to perform an authoritative restore of the deleted user. NTDSUTIL will create a text file containing the restored object DNs and GUIDs, and one or more LDIF files to restore the user’s group memberships.
  3. Use LDIFDE -i -f <LDIF filename> (where <LDIF filename> is each of the LDIF files created in step 2) to import the group memberships in the current domain and other domains.
  4. Reboot the global catalog into normal mode.
  5. On a DC in each foreign domain, boot into DSRM and perform a system state restore using a backup that contains the group memberships of the restored user.
  6. Run NTDSUTIL using the create ldif files command.
  7. Reboot the DC into normal mode.
  8. Use LDIFDE -i -f <filename> (where <filename> is the name of the LDIF file you created in step 6) to restore the group memberships in the foreign domain.
  9. At this point you can optionally force replication with REPADMIN /syncall.
If you are running a version of Windows Server 2003 without SP1 installed, or if you are running Windows 2000, there are some additional steps involved. Since the older version of NTDSUTIL doesn’t create LDIF files, use the GROUPADD utility to create them. The process is:

  1. Boot a global catalog into DSRM and perform a system state restore using a backup that contains the deleted user.
  2. Disable the NIC or unplug the cable to prevent inbound replication.
  3. Reboot the global catalog in normal mode.
  4. Use LDIFDE -r "(distinguishedName=<dn>)" -t 3268 -l memberOf -p Base -f membership.ldf to dump the membership of the user with the distinguished name <dn>.
  5. Use GROUPADD /after_restore membership.ldf to create LDIF files.
  6. Use LDIFDE -i -f <filename> (where <filename> is the name of the LDIF file created by GROUPADD in step 5) to import the group memberships in the current domain and other domains.
  7. Re-enable inbound replication using REPADMIN /options <dcname> -DISABLE_INBOUND_REPL.
  8. On a DC in each foreign domain, boot into DSRM and perform a system state restore using a backup that contains the group memberships of the restored user.
  9. Reboot the DC into normal mode.
  10. Use LDIFDE -i -f <filename> (where <filename> is the name of the LDIF file created by GROUPADD in step 5) to restore the group memberships in the foreign domain.
  11. At this point, you can optionally force replication with REPADMIN /syncall.
The only thing left now for the pre-Windows Server 2003 SP1 environment is to recover the foreign domain local group memberships for the restored user. Your only choices are to manually restore the domain local group memberships or to restore a DC from backup and authoritatively restore the domain local groups.
Even though it’s quite easy to accidentally delete users or even OUs from Active Directory, properly recovering the deleted users and their group memberships can be surprisingly complex, time-consuming, and error-prone. To ensure that you can recover from these sorts of disasters as quickly as possible, you have to understand the mechanics of object linking, replication, deletion, and authoritative restores.
Do you think you can get all the steps right the first time you try this in your production environment? To make sure you’re ready the next time you have to recover the CEO’s user object, have a written plan prepared for recovering deleted objects. And be sure to practice the plan at least once or twice before you have to try it on real data. Your boss (and your CEO) will appreciate it.
Gil Kirkpatrick is the CTO at NetPro and has been developing software for Active Directory since 1996. Along with Guido Grillenmeier from HP, he delivers the popular Active Directory Disaster Recovery workshops. Gil is also the founder of the Directory Experts Conference (www.dec2007.com).

© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.

October 6, 2008


Boys Don’t Cry
How do we help boys grow up emotionally strong? How to nurture a healthy relationship with your son.

“Don’t be a mama’s boy.”

“Be a little man.”

These expressions, so embedded in American culture, are our early attempts to socialize young boys into the roles we will eventually demand of them, says William Pollack, a professor of psychiatry at Harvard Medical School and director of the Center for Men at McLean Hospital in Massachusetts. These sayings may seem innocuous, but such words “tell boys that they can’t show feelings of connection,” he says. “Boys are yearning for adult connection.”

Pollack, the author of the book Real Boys, believes our assumptions of how boys should behave—that anger, rage and aggression are normal, that “boys will be boys”—are at the root of rapid increases in the diagnosis of ADHD and depression in boys. He says violence is also a by-product of the struggles that boys and young men face.

“These are illnesses we create as a society,” says Pollack, who presented his research at a New York Academy of Sciences conference on youth violence prevention. He calls behavioral problems in boys a “silent crisis”: Many boys appear happy, tough and confident, but are really depressed, lonely and sometimes violent.

Parents often assume that giving boys too much attention and love will result in dependent and clingy kids, especially in their relationships with their mothers. As a result, boys are told to be strong and independent at the tender ages of 3, 4 or 5 years old, a process that stunts healthy emotional development and interrupts the attachment process, Pollack says. Frequently compounding boys’ detachment is the absence of father figures. Girls, on the other hand, are often encouraged to maintain a close bond to both their mother and father through childhood.

How can parents help their boys grow up emotionally strong? Pollack says parents should dispense with the notion that boys should get “hard knocks” to help them grow into independent, self-sufficient adults.

September 6, 2008

Girls psychology…….

Girl’s Psychology

*** Fraud with Innocent Boys ***

*** Fun with Handsome Boys ***

*** Friendship with Charming Boys ***

*** Contact with Intelligent Boys ***

*** Flirt with Freaky Boys ***

*** Love with Faithful Boys ***

& in the end

*** Marriage with the Rich Boy ***

!!! Moral of the story !!!

Whether she is Chandramukhi or Paaro, they are all the same, friends!

September 2, 2008

A brief of Friendship….

Meaning of F.R.I.E.N.D.S.H.I.P

“F” is for Fun…………That friends share when they are together.

“R” is for Reliability….A true friend is someone that you can always
rely on.

“I” is for Interest…….Someone who is genuinely interested in you,
your fears, joys, and life.

“E” is for Energy………They pick you up when you are down, and give
you the energy to go on and believe in yourself.

“N” is for Nothing……..Nothing is ever too much, no matter what time
it is, night or day.

“D” is for Distance…….Although the miles may separate you, a true
friend is never far away.

“S” is for Secrets……..Your feelings and personal/private thoughts
that you can only share with a friend.

“H” is for Happiness……The way I feel when we are together.

“I” is for Inseparable….Through good times and bad, tears and
laughter. A friend will always be there for you.

“P” is for Perfect……..The friendship

September 2, 2008

About Me……

Hi myself Akshay …..’Akshay’ means to dedicate, give in, or devote something to someone out of respect with complete faith. People devote flowers to God, services to poor, and some even devote their complete lives to a cause or belief…nd really i am one of them who can do anything for anybody…

Also want 2 tell u about my self that i m very shy,sly,simple,sober,nd funny 2……

I m not selfish,i am a person who alwayz thinks 4 other happiness first nd alwayz ready 2 help others any time…also not suffering from disease like ego or jealousy..I dislike people cheating me or even forcing me.

According2 me life is the most wonderful nd precious gift which is given by god 2 us…so enjoy it with full zeal nd make it large by spreading happiness all around…life is short & one should enjoy every moment of it…

I m very decent type banda who have blog on wordpress just 2 b in touch of my older frndz nd 2 make new nd true frndz….i m here not 4 time passing, dont want to time pass with anyone and also don’t want myself as anyone timepass…i like 2 play pranks with my friends…this is like my hobby…but 4 sometime not alwayz.

I m also a very emotional type person….
I get emotionally attached to anyone very quickly…nd may be its my biggest weakness…

My frndz are like my family members…i luv all of them so so much…Here i found very gud friendz nd also never forget them at all…itz not that my others friendz are not gud but with rest of my frndz never talked so much as much with them…….i hope they will also never forget me ……….i luv just collecting pics of my favorites…that’s all, THIS IS MY STORY


September 2, 2008

Hello world!

Welcome to my blog….

This is Akshay..

How I think of myself:  

  • Sweet
  • Innocent
  • Honest

How my friends think of me:

  • Stubborn (in a good way)
  • Opinionated
  • Obsessed with my hair

How I really am:

  • Loyal
  • dedicated
  • borderline obsessive

My social views are conservative, my politics are moderate, and my approach to English spelling and grammar is quite unliberal.

I’ve lived and studied in various locations in both Orissa and the Gujarat, so I know what I’m talking about, most of the time anyway.

August 29, 2008